A proof of concept (PoC) attack was announced today dubbed “SmashEx”. This attack targets a recently disclosed vulnerability, CVE-2021-0186, and can corrupt and break integrity of private data in Intel Software Guard Extension (SGX) processors. The vulnerability was discovered by a collaboration of researchers from ETH Zurich, the National University of Singapore, and the China National University of Defense Technology in May 2021. CVE-2021-0186 can be used to access sensitive information by bypassing isolation within Intel SGX chips that maintain a secure enclave, dubbed a Trusted Execution Environment (TEE). The TEE is intended to block access to confidential information, even by system level processes. CVE-2021-0186 allows for attackers to take advantage of Outside Calls, which allow enclave functions to call out to the untrusted application and then return to the enclave, to inject asynchronous exceptions into control flow in order to access sensitive data or execute arbitrary code.
Analyst Notes
There are no reports that the vulnerability has been exploited in the wild. Intel has released software updates to mitigate the vulnerability with versions 2.13 and 2.14 for its Windows and Linux SGX SDK. Microsoft addressed the original reporting of the CVE in its July Patch Tuesday update. Enabling defenses such as Address Space Layout Randomization (ASLR), as well as Stack Canary protection, make such attacks more difficult, but not impossible to execute. Organizations are advised to ensure such protections are enabled where possible and to update as additional updates are integrated into code and provided by vendors.
https://thehackernews.com/2021/10/researchers-break-intel-sgx-with-new.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00548.html
https://jasonyu1996.github.io/SmashEx/
https://arxiv.org/abs/2110.06657
